Been working on deploying the NetScaler Unified Gateway for the last few weeks. Our goal is simply to create a unified page for accessing internal resources such as Outlook Web Access, the intranet and ShareFile, as well as XenApp/XenDesktop resources running on the new version of Citrix StoreFront, 3.9. As a side note, I will be posting my customization code for StoreFront 3.9 in the coming weeks.

First let me discuss (again) an issue I noticed with NetScaler NS11.0 build 63.16.nc when working with Content Switches and ZeroIP NetScaler Gateways.

I ran into a bug that crashed at a content switch bind (cs_state_bind), which our friends at Citrix confirmed they have seen in earlier builds while binding a CS action to a VPN vServer (ZeroIP). In other words, I was binding a profile policy/action to a NetScaler Gateway with a ZeroIP, which is exactly what a content switch NetScaler Gateway actually is.

This bug has been fixed in 11.0 Build 64.x and later, and in 11.1. In my case I upgraded to the now latest version, 11.0 70.12nc.

Let's get started:

On your StoreFront server, make sure that the Enable Remote Access setting for the store is set to No VPN or Full VPN tunnel.

In the web.config file, located in drive:/inetpub/wwwroot/citrix/storeweb, set X-Frame-Options to allow and Content-Security-Policy to frame-ancestors 'self'. You will see 3 entries for this; make sure you change them all. This will allow the page to come up in all browsers, including IE. Once the changes are made, simply reset IIS or reboot your SF server(s).

Optionally, you can bypass the Client Choices page on NetScaler Unified Gateway with a Responder policy. This way users won't have to click on the Clientless Access option but will instead be redirected to it after they log on.

To do this:

Create a Responder action based on the URL your users will be connecting to

It's been a while since I posted something new. Lately I have been primarily working with Cisco and Nutanix related tech, but now I'm getting back to my good old Citrix roots (forgot how fun it actually is).

Been working on a new deployment of the Citrix NetScaler Unified Gateway, which, c'mon, is just a marketing name; technically it is nothing more than some pretty good Content Switching policies and actions, but let's not get into that 🙂

By the way, I am actually in the middle of creating a post on how to deploy Unified Gateway and integrate it with OWA, StoreFront 3.8 (including customization code), ShareFile with on-prem storage, and good old intranet/internal sites, so we can see how SSO works as part of the deployment. Look for that in the coming weeks.

Now, before we get started: watch out for the NetScaler build you are running! I ran into a bug which actually made the primary NetScaler crash (not a fun event to have to explain to management).

This darn bug, in technical terms, crashed at a content switch bind (cs_state_bind), which our friends at Citrix confirmed they have seen in earlier builds while binding a CS action to a VPN vServer (ZeroIP). In other words, I was binding a Responder policy/action to a NetScaler Gateway with a ZeroIP, which is exactly what a content switch NetScaler Gateway actually is. Thought it was pretty amusing.

This bug has been fixed in 11.0 Build 64.x and later, and in 11.1. In my case I was running NS11.0 63.16.nc.

OK. Let's get started.

Create your Unified Gateway config (blog post coming soon).

Once you verify things are working, go ahead and connect to the new portal.

By default, after you authenticate you get prompted with the Client Choices options page, which will confuse the hell out of your users. So let's get rid of this!

My goal was to have all client traffic automatically routed to the "Clientless Access" option without anyone clicking on it.

To accomplish this you simply need to create the following Responder action and policy, then finally bind it to the NetScaler Gateway Content Switch that the Unified Gateway config creates.

Here it goes:

Create a Responder action based on the URL your users will be connecting to

I have been seeking an alternative for second-factor authentication with Citrix NetScaler for a while; I'm just sick of RSA and all its complexity, upgrades, tokens, etc. During my search for another method I was directed to Duo and was immediately excited about it. Duo combines modern two-factor authentication with advanced endpoint security solutions to protect users from account takeovers and data breaches.

Screenshots below are from my Apple Watch and iPhone using the "Push" option.

Environment:

Citrix NetScaler 11.0 Build 63.16.nc

StoreFront 3.5

To integrate Duo with your NetScaler Gateway, you will need to install a local proxy service on a server within your network. Before proceeding, locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems (in particular, Duo recommends Windows Server 2008 R2 or later, Red Hat Enterprise Linux 6 or later, CentOS 6 or later, or Debian 6 or later).

On the Windows system you have chosen to host the Duo Authentication Proxy, launch the proxy installer and follow the on-screen prompts.

Configure the Proxy

After the installation completes, you will need to configure the proxy.

The Duo Authentication Proxy configuration file is named authproxy.cfg, and is located in the conf subdirectory of the proxy installation. With default installation paths, the proxy configuration file will be located at:

[ad_client]
; IP address of your LDAP server (I use an LDAP VIP on NetScaler)
host=<LDAP server IP>
; An LDAP service account (read only)
service_account_username=<LDAP service account>
service_account_password=<LDAP_Password>
; You can specify an OU, etc., but pointing at your root makes it easier and you can then select a user group
search_dn=dc=domain,dc=com

Done, now let's do some NetScaler work. The steps below will create a new NetScaler Gateway that will score an A+ on SSLLABS.COM.

1. Create your Duo RADIUS policy and server. In the sample below I am using ns_true, which will allow all traffic. You can certainly get creative and match on headers carrying Citrix Receiver information, such as "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver".

10. Set up Rewrite policies to automatically select the "I accept the Terms & Conditions" checkbox and enable the "Log On" button. In the end you will have 3 Rewrite policies enabled: one for selecting the checkbox automatically, another for enabling the "Log On" button, and finally one to enable HSTS/STS, which you will need to achieve the A+ score.
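The NetScaler 11.0 CLI for step 1 and for the HSTS part of step 10, as an added example that is not from the post. The names (duo_radius_srv, duo_radius_pol, ug_gateway, hsts_insert_*) and the proxy address 10.0.0.25 are placeholders; it assumes the Duo Authentication Proxy is listening on RADIUS port 1812. The two rewrites for the EULA checkbox and "Log On" button are not shown here.

```text
# Step 1: RADIUS server pointing at the Duo Authentication Proxy.
# -authTimeout is raised because a Push prompt waits for the user to tap
# Approve on the phone; the default of a few seconds expires before the
# second factor completes and the logon fails.
add authentication radiusAction duo_radius_srv -serverIP 10.0.0.25 -serverPort 1812 -radKey "<shared-secret>" -authTimeout 60

# ns_true matches every request; narrow the rule if only some clients
# (for example, a User-Agent without CitrixReceiver) should get Duo.
add authentication radiusPolicy duo_radius_pol ns_true duo_radius_srv

# Bind as the secondary (second-factor) policy; LDAP stays the primary.
bind vpn vserver ug_gateway -policy duo_radius_pol -priority 100 -secondary

# Step 10 (HSTS part): add Strict-Transport-Security to every response.
# SSL Labs wants a max-age of at least 180 days for the A+; this is 5 years.
add rewrite action hsts_insert_act insert_http_header Strict-Transport-Security "\"max-age=157680000\""
add rewrite policy hsts_insert_pol true hsts_insert_act
bind vpn vserver ug_gateway -policy hsts_insert_pol -priority 100 -gotoPriorityExpression END -type RESPONSE
```

The "#" lines are annotations for the reader, not NetScaler CLI syntax, so paste only the command lines. Test the RADIUS server from the NetScaler with a known account before binding the policy, and only enable HSTS once every host name the gateway serves has a valid certificate, because browsers will refuse plain HTTP to it for the whole max-age.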

From time to time there may be a need to bring your remote access down for scheduled maintenance. Sure, all sorts of communication will be sent out, but the cold fact is that users don't read or remember 😛

Below are the steps to manually display a maintenance page on your NetScaler Gateway to inform users that the site is down.

Create a maintenance html page (code included below).

Create a Responder action that will redirect the traffic to the maintenance page.

Create a Responder policy that is only used when the traffic contains a specific FQDN (ex: remote.company.com) as well as a specific index.html file.

Bind your Responder policy to your NetScaler Gateway vServer.

Environment:

Citrix NetScaler 11.0 Build 63.16.nc

StoreFront 3.5

Let's get started:

Create your maintenance.html page and upload it to the NetScaler. In my case I am using a very customized theme and uploaded it to /var/netscaler/logon/themes/nameoftheme/custom_media.

3. Create a Responder policy and assign the action from step 2. In my case I am hosting several sites on a single gateway, so I needed to specify the hostname header and the index.html file of my NetScaler Gateway site 😛

Next time your users go to your Gateway (in my case https://remote.company.com), they will all be redirected to the maintenance page. Once the work is done, unbind the policy and users will again be taken to your Gateway main page:

unbind vpn vserver internal_portal -policy ns_gateway_maint_policy
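The NetScaler 11.0 CLI for steps 2 to 4, as an added example that is not from the post. The vServer and policy names match the unbind command above; remote.company.com and nameoftheme are the post's own placeholders. It assumes that files under /var/netscaler/logon/themes/nameoftheme/custom_media are served at /logon/themes/nameoftheme/custom_media/ on the gateway, so verify that URL in a browser before binding.

```text
# Step 2: redirect to the static maintenance page with a temporary (302)
# status so browsers and proxies do not cache the redirect after maintenance.
add responder action ns_gateway_maint_action redirect "\"https://remote.company.com/logon/themes/nameoftheme/custom_media/maintenance.html\"" -responseStatusCode 302

# Step 3: fire only for this FQDN and the gateway's index.html. Other sites on
# the same gateway keep working, and the maintenance page itself (a different
# path) never matches, which would otherwise turn into a redirect loop.
add responder policy ns_gateway_maint_policy "HTTP.REQ.HOSTNAME.EQ(\"remote.company.com\") && HTTP.REQ.URL.PATH.CONTAINS(\"index.html\")" ns_gateway_maint_action

# Step 4: bind to the gateway vServer as a request-time policy.
bind vpn vserver internal_portal -policy ns_gateway_maint_policy -priority 100 -gotoPriorityExpression END -type REQUEST

# Check from any workstation (not on the NetScaler) that only index.html is
# redirected; the Location header should point at maintenance.html:
#   curl -sI https://remote.company.com/vpn/index.html | grep -i '^location:'
#   curl -sI https://remote.company.com/logon/themes/nameoftheme/custom_media/maintenance.html
```

The "#" lines are annotations for the reader, not NetScaler CLI syntax. Run "save ns config" only if you want the binding to survive a reboot; many admins deliberately leave it unsaved so a restart cannot leave the maintenance page in place by accident.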

Hope this helps 🙂

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

Below are the steps I followed to score an A+ with Qualys while working on a new XenMobile 🙂 and NetScaler Unified Gateway deployment.

There are some caveats, however, since Citrix is now delivering TLS 1.2 with TLS_FALLBACK protection across all NetScaler products. Good, right? Well, if you are running a version below 10.5.57.7.nc you will need to update your NS appliances.

10.5.57.7.nc is available to all NetScaler and NetScaler Gateway customers. With this release and above, you can now achieve an A+ regardless of the hardware platform, including VPX running on your own hypervisor, MPX or SDX.

Please note that TLS1-AES-256-CBC-SHA is needed to support older SOCKS clients such as Receivers prior to 4.2.100 running on Windows, and several others. This includes the XenMobile WorxMail client in STA mode.

In the future this might change as Citrix moves forward with TLS1.2 support across their products.

Create a new Cipher Group from the default Cipher Group and disable the RC4 suites, otherwise you will be capped at a B. There are weaknesses in the RC4 cipher suite that could enable an attacker to decrypt the key stream. You can read more on how an attack against TLS/RC4 is possible in this PDF (http://cr.yp.to/talks/2013.03.12/slides.pdf).
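The cipher-group step on the NetScaler 11.0 CLI, as an added example that is not from the post. The group name ug_secure_ciphers and vServer name ug_gateway are placeholders. The list keeps the post's TLS1-AES-256-CBC-SHA for the legacy Receiver and WorxMail clients and contains no RC4 suite; the other cipher names are the NetScaler names I know for the ECDHE suites, so confirm each one exists on your build with "show ssl cipher" before binding.

```text
# Build the group, strongest (forward secret, AEAD) suites first; the order
# of the binds is the preference order the NetScaler advertises.
add ssl cipher ug_secure_ciphers
bind ssl cipher ug_secure_ciphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher ug_secure_ciphers -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher ug_secure_ciphers -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher ug_secure_ciphers -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher ug_secure_ciphers -cipherName TLS1-ECDHE-RSA-AES256-CBC-SHA
bind ssl cipher ug_secure_ciphers -cipherName TLS1-ECDHE-RSA-AES128-CBC-SHA
# Last resort for the older SOCKS clients the post mentions; remove it once
# every Receiver and WorxMail client in the estate is on a TLS 1.2 build.
bind ssl cipher ug_secure_ciphers -cipherName TLS1-AES-256-CBC-SHA

# Swap the DEFAULT group (which includes RC4) for the new one and turn off
# SSLv3. For Unified Gateway, apply this to the content switching vServer
# that owns the public IP, since the VPN vServer behind it is ZeroIP.
unbind ssl vserver ug_gateway -cipherName DEFAULT
bind ssl vserver ug_gateway -cipherName ug_secure_ciphers
set ssl vserver ug_gateway -ssl3 DISABLED -tls1 ENABLED -tls11 ENABLED -tls12 ENABLED

# Verify: no RC4 or SSL3 suite should appear in the bound list.
show ssl vserver ug_gateway
```

The "#" lines are annotations for the reader, not NetScaler CLI syntax. Re-run the SSL Labs scan after the change and test a Receiver older than 4.2.100 if you still have one, since dropping TLS1-AES-256-CBC-SHA is what breaks those clients.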

Ran into difficulties customizing a new NetScaler 11 Gateway. Although I was happy to finally be able to apply themes per NetScaler Gateway vServer, I quickly saw that this new option presents new challenges if you are looking to customize beyond what the themes allow.

Our goal was to add footer information on the front page in order to provide Help Desk contact info, a Citrix Receiver download link and the RSA Self Service portal. With NS 11, the problem is that the index.html file is no longer constructed the same as it was with 10.x.

Let's understand this a bit more.

With NetScaler Gateway 11, the logon form, and pretty much the entire index.html body, is generated by two JavaScript files (gateway_login_view.js and gateway_login_form_view.js).

gateway_login_view.js – creates the body and tables for the actual form

This naturally creates a headache if you are used to working with the 10.x firmware, where you could accomplish most of the customization by directly modifying the index.html file and creating a custom global policy user interface. On the other hand, that approach presented a challenge if you had to run multiple Gateway vServers with a custom UI, and you had to get pretty creative to overcome it.

For NS 11, I read a post where someone was struggling with a similar situation; luckily it pointed me in the right direction. The post suggested modifying or creating a new gateway_login_view.js and/or gateway_login_form_view.js (you can read the post here).

Rather than modifying existing code or creating new files and then having to deal with responder policies, etc., I figured I would try to do this via NetScaler Rewrite Policies and Actions to make it look something like the picture below.

Environment:

Citrix NetScaler 11.0 Build 63.16.nc

StoreFront 3.0

RSA 8.1

Let’s get started.

Add links at the bottom of the authentication page. Unfortunately, rewrite actions have a 255-character limit, which you can easily bypass by splitting the expression into pieces joined with "+". Click here to view/download the syntax, as WordPress messes with it.

With the new release of Citrix NetScaler 11, we now have the option to set up an End User License Agreement that users must accept before logging in. After getting the NetScaler Gateway configured and enabling EULA policies, I thought it would be useful to have the checkbox selected and the Log On button enabled by default.

Below are the steps to set up Rewrite Policies and Rewrite Actions on the NetScaler to automatically check the EULA acceptance box, as well as enable the Log On button.

The default behavior is to have users select the box every time before authenticating to the NetScaler Gateway 😦